Comments (6)
Possibly related to hashicorp/terraform-provider-aws#4497

With TF_LOG=DEBUG I can see that the policy is not being templated correctly:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${var.cloudgoat_private_bucket_name}"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${var.cloudgoat_private_bucket_name}/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
DEBUG OUTPUT FOLLOWS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
So it appears the default in variables.tf is not being used (although S3 bucket names have to be unique so ??)
variable "cloudgoat_private_bucket_name" {
  default = "cloudgoat-bucket-private"
}
If I create a terraform/terraform.tfvars and define
cloudgoat_private_bucket_name = "kesten-cloudgoat-private-bucket"
I get another strange error:
-/+ aws_s3_bucket.cloudgoat_private (new resource required)
id: "terraform-20180802133524191600000001" => <computed> (forces new resource)
acceleration_status: "" => <computed>
acl: "private" => "private"
arn: "arn:aws:s3:::terraform-20180802133524191600000001" => <computed>
bucket: "terraform-20180802133524191600000001" => "g6" (forces new resource)
bucket_domain_name: "terraform-20180802133524191600000001.s3.amazonaws.com" => <computed>
2018-08-02T08:46:19.904-0500 [DEBUG] plugin: plugin process exited: path=/Users/kbroughton/praetorian-tools/cloudgoat/terraform/.terraform/plugins/darwin_amd64/terraform-provider-aws_v1.29.0_x4
bucket_regional_domain_name: "terraform-20180802133524191600000001.s3.us-west-2.amazonaws.com" => <computed>
force_destroy: "true" => "true"
hosted_zone_id: "Z3BJ6K6RIION7M" => <computed>
policy: "" => "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::g6\"\n },\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::g6/*\",\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n }\n ]\n}\n"
region: "us-west-2" => <computed>
request_payer: "BucketOwner" => <computed>
versioning.#: "1" => <computed>
website_domain: "" => <computed>
website_endpoint: "" => <computed>
So it looks like a random name was generated and my name gets mangled to something unexpected. Continuing to poke at it...
from cloudgoat.
Found the issue:
cloudgoat_private_bucket_name gets set in ./start.sh:
cloudgoat_private_bucket_name=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
but:
$ cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1
tr: Illegal byte sequence
Replacing the /dev/urandom with one of the following works:
cloudgoat_private_bucket_name="$RANDOM-$RANDOM-$RANDOM-$RANDOM"
cloudgoat_private_bucket_name=$(python -c "import secrets; print(secrets.token_hex(16))")
Apply complete! Resources: 38 added, 0 changed, 0 destroyed.
from cloudgoat.
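A portable way to generate the random bucket name, as an added example that is not part of CloudGoat's start.sh or the commenter's fix: it forces LC_ALL=C so that tr treats /dev/urandom as raw bytes instead of failing on invalid UTF-8 sequences, and it checks the result against S3 bucket naming rules before the name reaches Terraform. The prefix argument and function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not CloudGoat's own start.sh). On macOS with a UTF-8 locale,
# `tr -dc` over /dev/urandom aborts with "tr: Illegal byte sequence" because
# the random bytes are not valid multibyte characters; LC_ALL=C makes tr
# byte-oriented so the same pipeline works on macOS and Linux.
gen_bucket_name() {
  # $1: name prefix (assumed lowercase letters/digits/hyphens)
  # $2: number of random suffix characters (default 32)
  prefix="$1"
  len="${2:-32}"
  suffix=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c "$len")
  printf '%s-%s\n' "$prefix" "$suffix"
}

# S3 bucket naming rules relevant here: 3-63 characters, only lowercase
# letters, digits and hyphens, and the name must start and end with a
# letter or digit. Returns 0 when the name is acceptable, 1 otherwise.
valid_bucket_name() {
  name="$1"
  case "$name" in
    *[!a-z0-9-]*) return 1 ;;
    -*|*-) return 1 ;;
  esac
  n=${#name}
  [ "$n" -ge 3 ] && [ "$n" -le 63 ]
}

# Usage: generate a name for the private bucket and refuse to continue
# with a name Terraform/S3 would reject.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  cloudgoat_private_bucket_name=$(gen_bucket_name cloudgoat 32)
  if valid_bucket_name "$cloudgoat_private_bucket_name"; then
    echo "cloudgoat_private_bucket_name=$cloudgoat_private_bucket_name"
  else
    echo "generated bucket name is invalid: $cloudgoat_private_bucket_name" >&2
  fi
fi
```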
Thanks for looking into this! Very helpful.
Looks like Python2 doesn't have the secrets library, so I'm thinking $RANDOM is the way to go here. I don't have a Mac, but had someone test the same command and they got the same error you did. I'll comment back here when I push up a fix.
from cloudgoat.
Just pushed a branch and opened a PR. Would you mind testing it out before I merge it into master?
from cloudgoat.
Can confirm that this branch works on macOS.
from cloudgoat.
Just merged into master, thanks @MiloATH!
from cloudgoat.